Branch: refs/heads/master
Home: https://github.com/NixOS/nix
Commit: ad8b96f1f2c80bf3f91ceab4d955aa368b7c85d4
https://github.com/NixOS/nix/commit/ad8b96f1f2c80bf3f91ceab4d955aa368b7c85d4
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-07-04 (Tue, 04 Jul 2017)
Changed paths:
M src/nix/installables.cc
Log Message:
-----------
Fix handling of expression installables with a / in them
Commit: 6cf23c3e8fa12e6bf297ca87d1b47889bf115d52
https://github.com/NixOS/nix/commit/6cf23c3e8fa12e6bf297ca87d1b47889bf115d52
Author: Eelco Dolstra <edols...@gmail.com>
Date: 2017-07-04 (Tue, 04 Jul 2017)
Changed paths:
M doc/manual/command-ref/conf-file.xml
M src/libstore/build.cc
M src/libstore/globals.hh
Log Message:
-----------
Add allow-new-privileges option
This allows builds to call setuid binaries. This was previously
possible until we started using seccomp. Turns out that seccomp by
default disallows processes from acquiring new privileges. Generally,
any use of setuid binaries (except those created by the builder
itself) is by definition impure, but some people were relying on this
ability for certain tests.
Example:
$ nix build '(with import <nixpkgs> {}; runCommand "foo" {}
"/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --no-allow-new-privileges
builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with
exit code 1; last 2 log lines:
cannot raise the capability into the Ambient set
: Operation not permitted
$ nix build '(with import <nixpkgs> {}; runCommand "foo" {}
"/run/wrappers/bin/ping -c 1 8.8.8.8; exit 1")' --allow-new-privileges
builder for ‘/nix/store/j0nd8kv85hd6r4kxgnwzvr0k65ykf6fv-foo.drv’ failed with
exit code 1; last 6 log lines:
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=15.2 ms
Fixes #1429.
Compare: https://github.com/NixOS/nix/compare/c0015e87af70...6cf23c3e8fa1_______________________________________________
nix-commits mailing list
nix-comm...@lists.science.uu.nl
https://mailman.science.uu.nl/mailman/listinfo/nix-commits
